Ninja-forms < 3.11.1 – Unauthenticated PHP Object Injection | CVE 2025-9083 | Plugin Vulnerabilities

Description

The plugin unserializes user input via form field, which could allow Unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

Proof of Concept

Payload: O:8:\"StdClass\":0:{};

1. Install the plugin https://wordpress.org/plugins/ninja-forms/.

2. Create a form with a Repeatable Fieldset field and insert it into a page or post.

3. In anonymous mode, access the form page and submit it.

4. Use a proxy (such as Burp Suite) to intercept the request and replace the value of the "Repeatable Fieldset" field with the payload O:8:\"StdClass\":0:{}.

5. Observe that the submitted value is processed by the function maybe_unserialize($fieldSubmissionValue);, allowing PHP object injection.

Affects Plugins

Fixed in 3.11.1

References

CVE

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

wcraft

Submitter

wcraft

Verified

Yes

WPVDB ID

60b4d7fc-5d23-4dcf-bd7f-e202cabc2625

Timeline

Publicly Published

2025-08-28 (about 4 months ago)

Added

2025-08-28 (about 4 months ago)

Last Updated

2025-08-28 (about 4 months ago)

Other

Published

Title

Published

2024-04-26

Title

GiveWP – Donation Plugin and Fundraising Platform < 3.5.0 - Authenticated (GiveWP Manager+) PHP Object Injection

Published

2025-06-09

Title

TinySalt < 3.10.0 - Unauthenticated PHP Object Injection

Published

2025-07-16

Title

JetFormBuilder < 3.5.2 - Authenticated (Administrator+) PHP Object Injection

Published

2025-04-21

Title

WP FoodBakery <= 3.3 - Unauthenticated PHP Object Injection

Published

2022-12-13

Title

WP Custom Admin Interface < 7.29 - Admin+ PHP Object Injection